Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vault LDAP authentication does not check if a user is diabled #1568

Closed
SuperMatt opened this issue Jun 28, 2016 · 5 comments
Closed

Vault LDAP authentication does not check if a user is diabled #1568

SuperMatt opened this issue Jun 28, 2016 · 5 comments

Comments

@SuperMatt
Copy link

After doing some testing, I have found that when an account is disabled in vault's ldap auth backend, the token that was created for that user to connect remains valid.

By default, there is no TTL for the token generated by the LDAP backend, and there appears to be no method to set one. This means that if someone leaves an organization, if they take their token with them, they will still be able to connect to vault.

Either vault needs to connect to ldap each time to see if the account is enabled or not, it needs the ability to set a sufficiently low ttl - like 5 minutes, or ideally both.
@SuperMatt
Copy link
Author

I've found that the mount's default TTL can be set with the following:

./vault mount-tune -default-lease-ttl=24h -max-lease-ttl=24h auth/ldap

However, it would still be best to double check with LDAP that the account hasn't been deactivated.

@jefferai
Copy link
Member

By default, there is no TTL for the token generated by the LDAP backend

All tokens have a TTL. You can use mount-tune to adjust the default and max for the backend, however, please note that this command succeeds pre-0.6 but only works properly in 0.6+ for auth/ mounts.

Is there a standard way to check for account disabling on LDAP servers?

@SuperMatt
Copy link
Author

SuperMatt commented Jun 28, 2016
edited
Loading

Despite using mount-tune on 0.6, after logging in with a new user to create a new token, there is still no TTL

./vault mount-tune -default-lease-ttl=24h -max-lease-ttl=24h auth/ldap
...
./vault auth -method=ldap username=testuser
...
./vault token-lookup zzzzzzzz-yyyy-xxxx-wwww-vvvvvvvv
Key                 Value
---                 -----
accessor            aaaaaaaa-bbbb-cccc-dddd-eeeeeeee
creation_time       1467125386
creation_ttl        0
display_name        ldap-testaccount
explicit_max_ttl    0
id                  zzzzzzzz-yyyy-xxxx-wwww-vvvvvvvv
meta                map[policies:root username:testaccount]
num_uses            0
orphan              true
path                auth/ldap/login/testaccount
policies            [root]
renewable           false
role
ttl                 0

Is it possible I'm doing something wrong?

@jefferai
Copy link
Member

Root tokens do not expire and so have no TTL. I didn't figure that you were using a root token since they're generally not recommended for use, ever.

@SuperMatt
Copy link
Author

Aha, that works, thank you.

@jbarnett1981 jbarnett1981 mentioned this issue Nov 2, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jefferai @SuperMatt